Identifying Factors Affecting Deleted File Persistence Through Empirical Study and Analysis

A Dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy at George Mason University

by

Tahir Mehmood Khan
Master of Science, George Washington University, 2011
Bachelor of Science, Saint Cloud State University, 2006

Director: James H. Jones, Jr, Associate Professor
Department of Electrical & Computer Engineering

Summer Semester 2017
George Mason University
Fairfax, VA

Copyright 2017 Tahir Mehmood Khan
All Rights Reserved

DEDICATION

To my parents, family members, friends, and my professors who inspired me to complete this research.

ACKNOWLEDGEMENTS

I would like to thank my advisor and dissertation Chair, Dr. James Jones for his extraordinary support, mentorship, and expert guidance to complete this research. I also would like to thank my committee members: Dr. Duminda Wijesekera, Dr. Kathryn B. Laskey and Dr. Paulo Costa for their support and guidance throughout this project. My appreciation goes to my family, my parents and my wife for standing beside me to take this journey to the end. Last but not the least, special thanks goes to the members of the Krypton group and my colleagues at George Mason University and Gallaudet University who supported and guided me throughout this project.

TABLE OF CONTENTS

List of Tables
List of Figures
List of Abbreviations
Abstract
Chapter One: Introduction
    Motivation
    Research Question
    Contributions
Chapter Two: Literature Review
Chapter Three: Methodology
    Experimental Design
    Tracking Deleted Files
    User Defined Parameters for Adiff.py Script
    User Defined Parameters for Trace_file.py Script
    Factors that Influence Persistence of Deleted Files
        Disk and System Parameters
        Deleted Files Parameters
        User Activity Profiles
    Deleted Files
        Deleted Files Categories
        Deleted Files in 0-5 MB Group
        Percentage of File Contents Completely Overwritten
        Percentage of File Contents Partially Overwritten
        Percentage of File Contents Completely Survived
    Distribution of New Files
        Shutdown User Activity
        Reboot-three-times User Activity
        Reboot User Activity
        Web User Activity
        One-hour-reboot User Activity
        Reboot-one-hour User Activity
        3-GB User Activity
        Experiment-data Activity
        Mix-data Activity
    File Creation and Deletion Process and Virtual Machine Configuration Settings
    File Creation Process
    Application Uninstalled List
    Virtual Machine Configuration Settings
    PassMark Fragger Utility and Disk Fragmentation Status
    Virtual Machine Suspend Procedure
    Virtual Machine Files Disk Components
    Raw Disk Image Conversion Process
Chapter Four: Results and Analysis
    Effect of User Activities on Deleted Files
    User Activities and User Actions
        Percentage of File Contents Completely Overwritten
        Percentage of File Contents Partially Overwritten
        Percentage of File Contents Completely Survived
    User Activities and Deleted File Size
    Fragmented and Non-Fragmented Files
    Disk Free Bytes
    Disk Fragmentation
    Disk Free Bytes and Disk Fragmentation
    User and System Generated Files
    File Path
Chapter Five: Conclusions
    Research Findings
    Primary Contributions
    Secondary Contributions
    Implications of the Research
    Future Directions
APPENDIX I SYSTEM CONFIGURATION SETTINGS
APPENDIX II
APPENDIX III
References

LIST OF TABLES

Table 1 Disk and system parameter names and types
Table 2 Deleted file parameter names
Table 3 User activity profile parameter names
Table 4 Disk parameter adjustments